PT-2021-11427 · Dex
Published: 2021-04-14 · Updated: 2021-12-20
CVE-2020-27847
CVSS v3.1: 9.3 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions:
dex versions prior to 2.27.0
Description:
A flaw in the SAML connector of dex allows an unauthenticated remote attacker to bypass SAML authentication, threatening confidentiality and integrity (the CVSS vector rates the availability impact as none and requires user interaction, such as a victim completing a login flow). The root cause is the behaviour of Go's encoding/xml package, which does not round-trip every XML document unchanged: a crafted document can be seen one way by the XML Digital Signature check and another way by the code that reads the assertion, so signature validation is bypassed entirely and an unsigned document is treated as signed.
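The advisory does not reproduce the triggering document, so the following is an added illustration of the underlying parser-differential, not code from dex or from any XML signature library it uses. It feeds a document through encoding/xml's decoder, re-serialises the token stream with its encoder (the path a Go signature library takes when it re-emits a parsed tree), parses the result again and compares the two token streams. The sample documents, the function names and the round-trip guard are this example's own assumptions; the namespace-prefixed sample is one constructed case that encoding/xml is known not to round-trip unchanged.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"reflect"
)

// tokens parses doc with encoding/xml and returns a copy of every token.
// CopyToken is required because the decoder may reuse its buffers.
func tokens(doc []byte) ([]xml.Token, error) {
	d := xml.NewDecoder(bytes.NewReader(doc))
	var out []xml.Token
	for {
		t, err := d.Token()
		if err == io.EOF {
			return out, nil
		}
		if err != nil {
			return nil, err
		}
		out = append(out, xml.CopyToken(t))
	}
}

// reserialize writes a token stream back out through xml.Encoder.
func reserialize(toks []xml.Token) ([]byte, error) {
	var buf bytes.Buffer
	enc := xml.NewEncoder(&buf)
	for _, t := range toks {
		if err := enc.EncodeToken(t); err != nil {
			return nil, err
		}
	}
	if err := enc.Flush(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// RoundTrip parses doc, re-serialises it, parses the result again and
// reports whether the two token streams are identical. A document for
// which this is false can be seen differently by two components that
// each believe they are looking at "the" document, which is the class of
// bug behind the signature bypass described above. The re-serialised
// bytes are returned so a caller can inspect what the second parse saw.
func RoundTrip(doc []byte) (bool, []byte, error) {
	first, err := tokens(doc)
	if err != nil {
		return false, nil, err
	}
	out, err := reserialize(first)
	if err != nil {
		return false, nil, err
	}
	second, err := tokens(out)
	if err != nil {
		return false, out, err
	}
	return reflect.DeepEqual(first, second), out, nil
}

// AcceptForSignatureCheck is a guard a verifier could apply before any
// signature work (an assumption of this example, not dex's fix): reject
// documents that do not survive a round trip, and hand back the
// re-serialised bytes so the caller reads the same view that was checked.
func AcceptForSignatureCheck(doc []byte) ([]byte, error) {
	stable, out, err := RoundTrip(doc)
	if err != nil {
		return nil, fmt.Errorf("malformed XML: %w", err)
	}
	if !stable {
		return nil, fmt.Errorf("document does not round-trip through encoding/xml; refusing to validate")
	}
	return out, nil
}

// Constructed sample inputs (not taken from the advisory).
var (
	// Unprefixed elements and a plain attribute: survives the round trip.
	plainDoc = []byte(`<Response><Assertion ID="a1"><Subject>alice</Subject></Assertion></Response>`)
	// A namespace prefix declared via xmlns:samlp: encoding/xml re-emits the
	// declaration as a different attribute set, so the second parse differs.
	prefixedDoc = []byte(`<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><samlp:Status/></samlp:Response>`)
)

func main() {
	for _, doc := range [][]byte{plainDoc, prefixedDoc} {
		stable, out, err := RoundTrip(doc)
		fmt.Printf("stable=%v err=%v\n in:  %s\n out: %s\n", stable, err, doc, out)
	}
}
```

Run it and compare the `in:` and `out:` lines for the prefixed document: the re-serialised form is not the document that was handed in, which is why a verifier must only ever trust data read from the exact byte sequence whose signature it checked, rather than a second parse of the original input.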
Recommendations:
Update dex to version 2.27.0 or later. Until the update can be applied, disable or restrict the SAML connector so that it is not used for authentication; the flaw is specific to that connector.
Weakness types:
Authentication Bypass by Spoofing
Improper Verification of Cryptographic Signature
Affected Products
Dex